By João Machado, Cybersecurity Analyst at the Foundation for Science and Technology (FCT), in the digital services unit FCCN
Phishing is one of the most prevalent forms of cybercrime. In these attacks, cyber criminals attempt to steal sensitive information, such as usernames, passwords, or other private data which they then use and sell. Typically, this is achieved by sending a large volume of emails, texts or social media messages that create a sense of urgency. When the victims click on the link provided, they are directed to a malicious website. Spear-phishing is a more targeted form of phishing. Instead of sending out mass messages, the attacker focuses on a specific individual and crafts well-thought-out emails to trick them into taking action. This requires the attacker to gather as much information about the victim as possible.
The content of these emails may include the victim’s name, the names of their close relatives, professional information, or even details about a family emergency. The goal is to create a sense of urgency that compels the recipient to click the link.
Current State
There are some alarming statistics that highlight just how widespread and damaging these attacks have become:
- Prevalence. In 2023, nearly 94% of organisations worldwide faced spear-phishing attacks, underscoring how commonly attackers use personalised tactics to breach defences.
- Financial Impact. According to IBM’s Cost of a Data Breach Report 2023, spear-phishing attacks can cost businesses an average of $4.91 million due to the extended time they often go undetected.
- Success Rate. Spear-phishing emails have a higher success rate, with open rates of 50%, compared to just 12-14% for more general phishing attempts.
- Credential Theft. A significant portion of spear-phishing campaigns, 43%, result in stolen credentials, according to the 2022 Verizon Data Breach Investigations Report. These credentials are often used to gain deeper access to company networks, allowing attackers to escalate their breach further.
- Business Email Compromise. The FBI’s 2022 Internet Crime Report highlighted that Business Email Compromise (BEC), often initiated by spear-phishing, resulted in over $2.7 billion in losses in 2022 alone.
- Data Breaches. Spear-phishing emails comprise less than 0.1% of all emails sent but prompt 66% of all data breaches.
- Human Error. One of the reasons spear-phishing is so effective is its ability to exploit human error. A staggering 85% of successful attacks can be traced back to the manipulation of the victim.
These statistics were obtained from several reports including CheckPoint Cybersecurity Report, Varonis Blog, IBM X-Force Threat Intelligence Index 2024, and others.
How it Works
As with most scams, spear-phishing typically aims to generate significant financial gains. Attackers achieve this by tricking victims into making payments or directing them to fake websites to steal their credentials. However, these campaigns can also have other damaging objectives:
- Spreading Malware. An attacker might impersonate someone within a company to persuade the victim to click on an email attachment. Once clicked, the file automatically installs malware.
- Stealing Credentials. Instead of targeting bank account credentials to steal money, an attacker might obtain work access credentials to stage a larger cyber-attack.
- Stealing Information. An attacker could impersonate a colleague to request sensitive reports.
After defining their objectives, attackers select suitable targets. For financial gain, they might target a wealthy individual. For access to confidential documents, they might focus on a specific IT employee. The attacker then conducts extensive research on the target and crafts a convincing email.
Real World Examples
Fraud on Institute of Education Financial Management (iGeFe) in Portugal
In June of 2024, iGeFe experienced a fraud where 2.5 Million Euros were transferred to the wrong bank account. This occurred through three transfers to an IBAN belonging to another entity. The error was found when the actual company providing IT services to iGeFe complained about not receiving payment.
This was a typical case of CEO fraud. The attacker impersonated the company employee responsible for the contract and sent a well-crafted email with correct references, bills, and payment deadlines. However, the attacker requested the payment to be made to a different IBAN. The request was accepted without proper validation by the victim’s services, leading to the successful execution of the fraud.
Viseu City Council Energy Bill Fraud
The Municipality of Viseu in Portugal fell victim to a sophisticated cyber fraud scheme, resulting in a loss of nearly 600,000 Euros.
The scam unfolded when attackers intercepted a real invoice from Galp Energia and made the changes needed to “register” a new Galp IBAN in the municipality’s database. The new IBAN was at the same bank as the previous one, to avoid raising suspicion.
The scam was detected when Galp noticed that the payment had not arrived. The municipality sent a copy of the payment request, along with proof of payment and the corresponding IBAN, only to discover that the IBAN was incorrect. Someone had intercepted a document from Galp and sent it to the municipality to change the IBAN.
Spear-Phishing Impersonating Portuguese Ambassadors
In 2022, there was an international incident where emails, supposedly from Portugal, were sent to several ambassadors from NATO countries.
These emails featured the Portuguese coat of arms and links to a malicious HTML file. To appear more trustworthy, the emails were written in English and used common file-sharing services, such as Dropbox or Google Drive, to distribute the malware. When a victim clicked on the link, the malicious file ran and created a backdoor into the computer.
Prevention
Phishing attacks are notoriously challenging to defend against because traditional cybersecurity tools often fail to detect them. Spear-phishing is even more difficult to block because its highly targeted and personalised approach makes fraudulent messages appear more credible. Training campaigns help users identify these messages and encourage reporting rather than replying or complying.
Guidelines to identify a spear-phishing scam:
- The email creates a sense of urgency or panic.
- Requests for sensitive information.
- Links that are misspelled or strangely formatted, which, when hovered over, do not lead to the correct destination.
- Unsolicited attachments.
- Pretexting, such as claiming that login credentials are about to expire.
Security awareness training is fundamental in preventing phishing attacks, especially when many users work from home. However, even the best-trained and most security-conscious employees may occasionally click on a malicious link, either because they are in a hurry or because the phishing attempt was very convincing.
To reduce the chance of a successful spear phishing attack, organisations should:
- Deliver training sessions. Teach techniques for recognising suspicious emails, and tips to avoid oversharing on social networks, making it harder for attackers to gather information.
- Write and maintain policies and processes. Establish guidelines for counteracting scams, such as not opening messages with unsolicited attachments.
- Implement identity and access management. Use controls such as role-based access control and multi-factor authentication to prevent attackers from gaining access to user accounts.
- Scan the properties of received messages. Check security headers and attachments for malicious content.
- Conduct periodic phishing and spear-phishing simulations.
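Two of the guidelines above, spotting links whose visible text and real destination differ and checking message headers and attachments, lend themselves to automation at the mail gateway or in an analyst's triage script. The Python script below is an added example written for this article, not code from the author or from FCCN. It parses a single constructed message with the standard library, reads the SPF, DKIM and DMARC results that the receiving mail server recorded in the Authentication-Results header, compares the sender domain against an assumed allowlist with a simple confusable-character fold (so that a digit one standing in for a letter l is caught), flags links whose displayed URL points to a different host than the href, notes attachments from a sender that did not pass DMARC, and looks for urgency wording. The domains, allowlist and message are placeholders built for the demonstration.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real incident artefact). The sender domain
# "examp1e-corp.com" plays a lookalike of the assumed partner "example-corp.com".
SAMPLE_EML = """\
From: "Finance Director" <director@examp1e-corp.com>
To: accounts@example.org
Subject: URGENT: supplier bank details updated, pay today
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=examp1e-corp.com; dkim=none; dmarc=fail header.from=examp1e-corp.com
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>The supplier changed their IBAN. Process the attached invoice
immediately and confirm here:
<a href="http://examp1e-corp.com/confirm">https://portal.example-corp.com/confirm</a>
</p></body></html>
--b1
Content-Type: application/pdf; name="invoice.pdf"
Content-Disposition: attachment; filename="invoice.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""

# Assumed allowlist of domains the organisation actually corresponds with.
TRUSTED_DOMAINS = {"example-corp.com", "example.org"}
# Digits commonly substituted for visually similar letters in lookalike domains.
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "5": "s", "3": "e"})
URGENCY = re.compile(r"\b(urgent|immediately|today|asap|expire[sd]?)\b", re.I)


class LinkParser(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def lookalike_of(domain, trusted):
    """Return the trusted domain that `domain` imitates after confusable folding, else None."""
    folded = domain.lower().translate(CONFUSABLES)
    return next((t for t in trusted if domain.lower() != t
                 and folded == t.translate(CONFUSABLES)), None)


def triage(raw_eml, trusted=TRUSTED_DOMAINS):
    """Return a list of human-readable indicators found in one raw RFC 5322 message."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    findings = []
    # 1. SPF/DKIM/DMARC results as recorded by the receiving MTA; anything but "pass" is noted.
    auth = {k.lower(): v.lower() for k, v in re.findall(
        r"\b(spf|dkim|dmarc)=(\w+)", str(msg.get("Authentication-Results", "")), re.I)}
    for mech in ("spf", "dkim", "dmarc"):
        if auth.get(mech) != "pass":
            findings.append(f"{mech} result is '{auth.get(mech, 'missing')}'")
    # 2. Sender domain: a lookalike of a known partner, or simply unknown.
    _, sender = parseaddr(str(msg.get("From", "")))
    sender_domain = sender.rpartition("@")[2].lower()
    imitated = lookalike_of(sender_domain, trusted)
    if imitated:
        findings.append(f"sender domain {sender_domain} resembles trusted {imitated}")
    elif sender_domain not in trusted:
        findings.append(f"sender domain {sender_domain} is not on the allowlist")
    # 3. Links whose visible text is a URL on a different host than the real href.
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    parser = LinkParser()
    parser.feed(html)
    for href, text in parser.links:
        shown = urlparse(text).hostname if text.startswith(("http://", "https://")) else None
        real = urlparse(href).hostname
        if shown and real and shown != real:
            findings.append(f"link shows {shown} but points to {real}")
    # 4. Attachments arriving from a sender that did not pass DMARC.
    for part in msg.iter_attachments():
        if auth.get("dmarc") != "pass":
            findings.append(f"attachment '{part.get_filename()}' from unauthenticated sender")
    # 5. Urgency wording in the subject or the tag-stripped body.
    text = re.sub(r"<[^>]+>", " ", html) + " " + str(msg.get("Subject", ""))
    hits = sorted({m.lower() for m in URGENCY.findall(text)})
    if hits:
        findings.append("urgency wording: " + ", ".join(hits))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EML):
        print("-", finding)
```

Run against the constructed message, the script reports all five indicator classes: the failed authentication results, the lookalike sender domain, the link whose text advertises the partner's portal while the href goes to the lookalike host, the attachment from an unauthenticated sender, and the urgency words. A message that passes SPF, DKIM and DMARC from an allowlisted domain with no links or attachments produces an empty list. In production the allowlist would come from the organisation's supplier records, and the Authentication-Results header must be read only when it was added by your own receiving server, since an attacker can insert a forged one.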
In summary, spear-phishing remains a threat in the cybersecurity landscape, evidenced by its widespread impact and financial consequences. Its personalised nature and ability to exploit human error make it particularly dangerous, with many successful attacks traced back to victim manipulation.
To effectively counter these attacks, organisations and individuals must adopt robust prevention strategies. This includes comprehensive training programmes, stringent security policies, and the deployment of advanced technologies.
As the threat landscape continues to evolve, ongoing education and adaptation of security practices are crucial to maintaining strong defences against these cyber threats.
About the author
João Pedro Martins Machado is a Cybersecurity Analyst at the Foundation for Science and Technology (FCT), working within the digital services unit FCCN. With two years of experience, João specialises in protecting critical networks and information systems. He holds a degree in Computer Engineering and plays a pivotal role in analysing security incidents, conducting comprehensive security audits, and maintaining the robust security posture of FCCN, FCT’s digital services unit. João’s passion for uncovering vulnerabilities and ethical hacking drives his dedication to the cybersecurity field. Outside of work, you may find him coaching handball, playing with his dogs, or engaging in cybersecurity challenges on TryHackMe.
Also this year GÉANT joins the European Cyber Security Month, with the campaign ‘Your brain is the first line of defence’. Read articles from cyber security experts within our community, watch the videos, and download campaign resources on connect.geant.org/csm24